We went through an audit by an external penetration tester and the results were instructive. OWASP Top 10 is a minimum, not a maximum.
SQL Injection
Still number one. In JPA: use parameterized queries. Never concatenate user input into a JPQL string; bind it as a query parameter. For native SQL: PreparedStatement, never Statement.
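As an added example (not code from the original post), the point above in JPA and JDBC: a JPQL query built by concatenation next to its parameterized form, plus a PreparedStatement for native SQL. It assumes the Jakarta Persistence API and a `Customer` entity with a `name` field; both are assumptions, not from the post.

```java
import jakarta.persistence.EntityManager;
import jakarta.persistence.TypedQuery;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;

// Assumed: a JPA entity "Customer" with a String field "name" mapped to table "customer".
public class CustomerLookup {

    // VULNERABLE: user input is concatenated into the JPQL text, so a crafted value
    // can change the structure of the query. Shown only to contrast with the fix below.
    public static List<Customer> findByNameUnsafe(EntityManager em, String name) {
        String jpql = "SELECT c FROM Customer c WHERE c.name = '" + name + "'";
        return em.createQuery(jpql, Customer.class).getResultList();
    }

    // SAFE: the query text is a constant; the input is bound as a named parameter
    // and reaches the database as data, never as part of the statement.
    public static List<Customer> findByName(EntityManager em, String name) {
        TypedQuery<Customer> q = em.createQuery(
            "SELECT c FROM Customer c WHERE c.name = :name", Customer.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    // SAFE for native SQL: PreparedStatement with a "?" placeholder. Building the same
    // SQL with string concatenation and java.sql.Statement has the defect shown above.
    public static boolean customerExists(Connection conn, String name) throws SQLException {
        String sql = "SELECT 1 FROM customer WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```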
XSS
Output encoding — every value written into HTML must be escaped. In JSF, EL expressions are escaped by default. Watch out for h:outputText with escape=false.
CSRF
A CSRF token in every form. JSF provides built-in CSRF protection through the ViewState. For REST APIs: a custom token in an HTTP header.
Session Management
HTTPS everywhere. Cookie flags: Secure, HttpOnly, SameSite. Session timeout of 30 minutes (15 for banking). Regenerate the session ID after login.
Security Headers
The Apache reverse proxy adds the headers X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security.
Lesson Learned
Every application must go through a security audit. Internal code review is not enough — you need an external penetration test.